Poisoning your own DNS for fun and profit

When you type a phrase into the Windows Vista Start menu's search box and click Search the Internet, then the Start menu hands the query off to your default Internet search provider.

Or at least that's what the Illuminati would have you believe.

A customer reported that when they typed a phrase into the Search box and clicked Search the Internet, they got a screenful of advertisements disguised to look like search results.

What kind of evil Microsoft shenanigans is this?

If you looked carefully at the URL for the bogus search "results", the results were not coming from Windows Live Search. They were coming from a server controlled by the customer's ISP.

That was the key to the rest of the investigation. Here's what's going on:

The ISP configured all its customers to use the ISP's custom DNS servers by default. That custom DNS server, when asked for the location of search.live.com, returned not the actual IP address of Windows Live Search but rather the IP address of a machine hosted by the ISP. (This was confirmed by manually running nslookup on the customer machine and seeing that the wrong IP addresses were being returned.) The ISP was stealing traffic from Windows Live Search. It then studied the URL you requested, and if it is the URL used by the Start menu Search feature, then it sent you to the page of fake search results. Otherwise, it redirected you to the real Windows Live Search, and you're none the wiser, aside from your Web search taking a fraction of a second longer than usual. (Okay, snarky commenters, and aside from the fact that it was Windows Live Search.)

The fake results page does have an About This Page link, but that page only talks about how the ISP intercepts failed DNS queries (which has by now become common practice). It doesn't talk about redirecting successful DNS queries.

I remember when people noticed widespread hijacking of search traffic, and my response to myself was, "Well, duh. I've know about this for years."

Bonus chatter: It so happens that the offending ISP's Acceptable Use Policy explicitly lists as a forbidden activity "to spoof the URL, DNS, or IP addresses of «ISP» or any other entity." In other words, they were violating their own AUP.


Comments (28)
  1. skSdnW says:

    I'm guessing the ISP is no longer doing this? If they are, you should name and shame so people can stay away.

  2. Yildo says:

    Is it possible that Vista's search box does a DNS lookup on the query before sending it to a search provider?

    Win7 isn't offering me the option to search the internet, so I can't verify.

    [How do you expect to send a request to a search provider without doing a DNS query? -Raymond]
  3. Larry Hosken says:

    "investigation"… does this mean that the customer complained to Microsoft about this? Do customers complain to Microsoft every time the internet does stuff that seems broken? Oh man, the MS support folks must need hugs, like, every_day.

  4. xpclient says:

    @Yildo, enable the option from Group Policy on W7 to search the internet.

  5. Joshua says:

    [How do you expect to send a request to a search provider without doing a DNS query? -Raymond]

    By replicating Google's trick of, only this time with self-signed SSL and the public key shipped with Windows. Surely MS can use one of its addresses for that purpose. It has a class B.

    That's be my response to this kind of tampering.

    ["What kind of evil Microsoft shenanigans is this? Stealing all my DNS traffic and breaking my intranet." -Raymond]
  6. Philipp says:

    I'm not sure it's entirely the ISP who's at fault here. Why is the default search not using SSL? And why doesn't bing support SSL?

    For a site as large as bing, this is embarrassing:

    $ openssl s_client -connect http://www.bing.com:443 | grep subject -B 2 -A 2


    subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net

    issuer=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

  7. Joshua says:

    @Philipp: They used a CD to change DNS. They could have injected their SSL Cert just as easily. The only defense against a rogue SSL provider is self-signed SSL.

  8. Evan says:

    @Joshua: "They could have injected their SSL Cert just as easily. The only defense against a rogue SSL provider is self-signed SSL."

    Wait. I'm by no means particularly knowledgeable about SSL, but your statement sounds backwards to me.

    First, wouldn't injecting their own SSL cert not have worked unless they were able to register a new CA on the user's machine (or convince an existing one that they were running bing.com)? I thought that was the POINT of certificates. Second, I thought self-signed certs provide NO protection against MITM attacks, because they're not signed by a party (a CA) that the user has out-of-band knowledge about.

  9. Sockatume says:

    Out of curiosity, why was the "Search the internet" function of the start menu disabled by default in Windows 7? I always found it to be a very useful feature (and was pleased to see an equivalent function in Windows 8).

  10. Joshua says:

    @Evan: The protection comes from Self-signed cert accessed by your code and your code will accept no other except your own public key, which is compiled into the binary.

  11. imscared says:


    The content of the article is likely a hint.

  12. @Evan: if you can convince the user to run code that you wrote, you can add your signing certificate to their trusted certificate store.  See certutil -addstore


  13. Can Microsoft sue ISP in situation like this?

  14. Joshua says:

    ["What kind of evil Microsoft shenanigans is this? Stealing all my DNS traffic and breaking my intranet." -Raymond]

    Wow I didn't even realize this had another way to read. Let's try this way: To defeat the ISP's mechanism, the default search provider should be changed to be self-signed SSL with a well-known public key to an IP address owned by Microsoft.

    But yeah I would not dare redirect all DNS lookups through Microsoft's servers. That way lies madness.

    [Well, since the electrons leaving your house hit the ISP's routers first, they could always redirect all traffic destined for the hard-coded Microsoft IP address to their private servers instead. The problem is still there, just at a different layer. (I'm just talking about the DNS part, not the SSL part. The SSL part runs into legal issues re export restrictions.) -Raymond]
  15. they were violating their own AUP

    Meh. The AUP is an agreement between a party that agrees to provide service (the ISP) and another party that agrees to pay (the customer.) The forbidden activity clause was likely meant to apply to the customer, not to the ISP.

  16. Joshua says:

    Did nobody get that I meant search provider =

    I wonder what IE does when fed an SSL path on one of those areas affected by export restrictions.

  17. Henning Makholm says:

    @Joshua: That would break every installed copy of the OS if the IANA decides to tell Microsoft that their IPv4 block is being reassigned and would they please migrate to this other one before the end of next month? IP allocations come with an explicit understanding that the registry can change it at any time. This doesn't happen often (being a pain for everybody involved), but if word got out that a company as widely reviled as Microsoft hardcoded an IP address in their distributed software, the risk that somebody in the decision loop would feel motivated to think up a technically convincing reason that the block needed to be reallocated would be significant.

  18. Joshua says:

    @Henning Makholm: Microsoft has one of the old-school IP assignments that cannot be pulled without a stack of contract violations. While these may well all be pulled if IPv6 fails, at that stage the costs involved are a lot worse than one patch to what turned out to be one version of the OS.

  19. Evan says:

    @Joshua, @Maurits:

    Both good points. For the "won't self-signed be worse" example, I was thinking too much in the web situation — the OS vendor certainly has a very easy-to-use out-of-band communication mechanism to transfer their public key. :-) As for the "the user won't have the CA" argument, I was thinking too much of people like myself who just ignore the CD from the ISP. I'd like to think that no ISP would *actually* install a new CA that they explicitly use for spoofing sites, but… well, let's just say I suspect there's someone out there who could disappoint me.

  20. cheong00 says:

    ["What kind of evil Microsoft shenanigans is this? Stealing all my DNS traffic and breaking my intranet." -Raymond]

    I think Microsoft has done this once before, by hardcoding Windows Update Server IP so PCs won't be tricked to install update from fake update server by DNS poisoning.

    If Microsoft would consider the ISP's action a security threat, Microsoft might do that once again.

  21. Anonymous Coward says:

    Although, Joshua, manually specifying different DNS servers may help,* and if more ISPs are starting to spoof DNS than maybe Windows shouldn't use the ISPs DNS servers any more. This would then also necessitate checking that the DNS server behind one of the built-in IPs isn't itself faked by the ISP of course.

    However, I think that if this happens to you, you should immediately switch ISPs. There are plenty of ISPs that don't muck with your traffic. And send a letter to your previous ISP stating in no uncertain terms why you switched.

    * I had to do this myself not because the ISP was evil, but because their DNS servers where slow and often crashed. So I specified some third party DNS servers. DNS is too important to be left to the ISP.

  22. Matt says:

    @cheong: Updates come from update.microsoft.com, not from a hardcoded IP address. Microsoft fixes the "fake update pwning my system" attack by signing the updates using a public key burned into the Windows Update software.

    You can DNS poison Windows Updates. But you can't get it to install updates that Microsoft didn't author.

  23. Gabe says:

    Switching ISPs might be a nice idea, but it's easier said than done. Some devices (like a 4G tablet or phone) don't have a choice of ISPs. Many places only have a single broadband provider. My location has exactly two, and I'm already using the good one. I'm not going to switch sides to the Empire just because the Rebel Alliance did something really stupid.

    Back when all Internet access was dial-up, there were few differences between ISPs. You wouldn't have to worry about getting a slower connection from one than another, but switching was painful because most people had email addresses connected to their ISP. If you switched ISPs, you had to switch email addresses, which is probably worse than switching broadband providers.

  24. Damien says:

    @cheong00 – I think what you're referring to is where certain address lookups bypass the hosts file. They still use DNS – what they prevent is a change on the local machine *preventing* DNS lookups from occurring.

  25. Rick C says:

    @Henning Makholm, "if the IANA decides to tell Microsoft that their IPv4 block is being reassigned"

    To where, exactly, would Microsoft's block be reassigned?  Even ignoring Joshua's comment about contracts, they'd probably have to reassign a whole lot of other folks to find a space for it.

  26. ErikF says:

    @Neil: Probably not, but if someone is in control of your connection to the Internet they could spoof the IP address of a host (not) quite as easily as spoofing DNS. Once you are at a point where you can't trust the infrastructure that you're on, nothing short of maybe VPN to a trusted infrastructure is going to help.

    If I were in this situation, I'd take it up with my government's telecommunication regulator. I would think that this violates your right to privacy just like if your phone company tapped your line without legal need.

  27. kog999 says:

    "If I were in this situation, I'd take it up with my government's telecommunication regulator"

    I'm sure they'll get right on that.

  28. Neil says:

    Would hard-coding the correct IP address in your hosts file* be a violation of their AUP?

    *Or local caching DNS server, so that you can fix your entire LAN at once.

Comments are closed.

Skip to main content